Setting Up Google 2F Authentication for Automated (Crontab) rsync

Neo · September 1, 2019, 4:15am

Dear All,

I have Google Two Factor (2F) Authentication enabled for sshd on most of my Linux servers. This works well and I highly recommend it.

My question is:

Has anyone set this up for rsync which runs in a crontab ?

For example, supposed we have this simple crontab script:

/usr/bin/rsync -qpavzh --rsh="/usr/bin/sshpass -f '/var/local/.secure' ssh -o StrictHostKeyChecking=no -l user" user@myserver.com:/var/data/dumps/ /var/data/dumps/

This works fine, of course, when syncing some backup files across the net without 2FA; but I want to do the same thing using Google Authenticator for 2FA.

Has anyone set this up on any of their servers?

Thanks.

MadeInGermany · September 2, 2019, 2:34pm

A non-interactive password/passphrase/key authentication requires full trust of the involved tools.
Openssl/Openssh? Okay, can be trusted. But Google? And do you trust the 2nd factor device?

Neo · September 2, 2019, 11:59pm

Hi MIG,

I use the same Google Authentication PAM module which most everyone else uses (on Linux) , and I'm OK with it.

sudo apt install libpam-google-authenticaton

This is a well established PAM lib enabled by adding the following to the end of the /etc/pam.d/sshd file

...
auth required pam_google_authenticator.so

and then we simply modify the /etc/ssh/sshd_config file as follows:

...
ChallengeResponseAuthentication yes
...

and then we restart sshd :

sudo systemctl restart sshd.service

and run:

google-authenticator

in the user account which sets everything up for the user and we add the details to the Google Authenticator app.

This is well established and well documented on the net.

I was going to use Symantec VIP Access but those libs are not freely available for the server side.

I'm not worried about the integrity of this method.

I am only concerned about how to pass the 2FA token in a cron file for rsync and so I asked if anyone had done the same, as I could not find anyone (on the net) who has passed the 2FA token and the password using rsync in cron.

It's not a big deal, as I can set up a user for only rsync and use pam_succeed_if.so to permit that user account to bypass 2FA, but I was looking for a solution to pass the 2FA token instead of bypassing for a single user on the server as we do with sshpass in this example:

/usr/bin/rsync -qpavzh --rsh="/usr/bin/sshpass -f '/var/local/.secure' ssh -o StrictHostKeyChecking=no -l user" user@myserver.com:/var/data/dumps/ /var/data/dumps/

But so far, I cannot find a solution by someone else who has done with this rsync and libpam-google-authentication .

I'm OK with having a special, restricted userid which bypasses 2FA; but I would prefer not to do this and send the 2FA token along with the username and password in the rsync cron script. That's way I asked "has anyone else done this" and posted the rsync example.

Neo · September 3, 2019, 4:10am

As a temporary measure I used this line before the auth required pam_google_authenticator.so line in /etc/pam.d/sshd

auth [success=done default=ignore] pam_succeed_if.so uid = 3333

This effectively permits the user with uid 3333 to bypass 2FA.

I will keep working / looking for / thinking about a different solution which does not bypass 2FA and instead passes the 2FA token for rsync .

Neo · September 4, 2019, 12:34am

Update:

I think I have a potential "better" solution than sending the 2FA token with rsync.

What I did was I created a bypass for the rsync user process in / etc/pam.d/sshd as above (earlier post) and then added 2FA to /etc/pam.d/sudo as follows:

auth required pam_google_authenticator.so

So, now even if the rsync user account is compromised, 2FA authentication is required to sudo for all users.

However, the good and bad news is that this also means that 2FA is required for all sudo processes, so I might have to carefully implement this solution since other automated Linux processes rely on sudo (I think, need to confirm) and will need to configure 2FA for those situations.

Neo · September 4, 2019, 12:53am

OK... for final (now testing) implementation I just looked in /etc/sudoers and added all the required 2FA bypass like this in /etc/pam.d/sudo , for example:

auth [success=done default=ignore] pam_succeed_if.so debug uid = 2222
auth [success=done default=ignore] pam_succeed_if.so debug user ingroup root admin sudo
auth required pam_google_authenticator.so

Seems to work fine after (admittedly short) testing and with the debug option, can check system logging as well.

Update: Testing has been very successful so far.